weave
module · Networking

Checkpoint

Check Point — security gateways, access rules, NAT, publish

Namespace: weave checkpoint Env: CHECKPOINT_SERVER
5
Commands
1
State kinds
Networking
Category
1
API docs

Setup

Configure credentials via environment variables. We recommend sourcing them through 1Password or your secrets manager rather than committing them to the shell rc.

Official API reference

weave commands for this module are checked against the vendor's published API.

Variable Description Status
CHECKPOINT_SERVERRequired for authentication.required
CHECKPOINT_USERNAMERequired for authentication.required
CHECKPOINT_PASSWORDRequired for authentication.required

Sanity-check the wiring:

weave secrets check
weave checkpoint --help
weave doctor   # reports CHECKPOINT_SERVER status

Capabilities

What this module can do, by entity and verb. means a working CLI surface; · means not (yet) wired.

Entity findlistshowdosnapshotdiffapply
access-rule······
gateway······
nat-rule······
session······
users····

Commands

Every registered CLI command, grouped by verb. Each example uses placeholder arguments — substitute real values for your environment.

list (3)

list access-rules

read

List access policy rules.

weave checkpoint list access-rules <arg>

list gateways

read

List security gateways.

weave checkpoint list gateways <arg>

list nat-rules

read

List NAT rules.

weave checkpoint list nat-rules <arg>

do (2)

do discard

write

Discard the current session.

weave checkpoint do discard <identifier>

do publish

write

Publish the current session.

weave checkpoint do publish <identifier>
snapshot / diff / apply are generated automatically from the State Kinds declared on this module — see the State kinds section below for per-kind details. Workflow: snapshot → edit YAML → diffapply --yes (or confirm interactively; apply --dry-run previews the same diff).

State kinds

Resources this module can snapshot and diff; apply where the kind supports live writes (see Round-trip per kind). Always run diff before apply; use --yes in automation after review. Files live under .weave-state/checkpoint/.

This module is on the thinner integration path — use snapshot / diff for audit; confirm apply per kind below before relying on writes.

users

snapshot diff apply

checkpoint users — field-level apply via REST.

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: checkpoint
kind: users
items:
  - # <fields specific to this kind — see snapshot output>

Workflows

End-to-end recipes from operators who already run this module in production. Copy, adapt, and put under change-control.

Users audit

Snapshot and diff users.

weave checkpoint snapshot users
$EDITOR .weave-state/checkpoint/users.yaml
weave checkpoint diff users
weave checkpoint apply users

Terraform parity

For each Terraform resource in the canonical provider, here's the equivalent live-API verb in weave. Use this as a migration cheat-sheet, not a 1:1 contract — weave deliberately stays in the live-state lane, not the desired-state lane.

Terraform resource weave equivalent
checkpoint_usersweave checkpoint snapshot/diff/apply users
Snapshot/diff for audit; confirm apply on the module page.

Troubleshooting & source

Missing credentials

Run weave doctor — it reports which env vars (including CHECKPOINT_SERVER) are set and which are blank.

Unexpected behaviour from a state apply

Re-run weave checkpoint diff <kind> to confirm the controller's current state, then re-snapshot before the next apply. The driver always re-snapshots before diffing.

Open the source

The module lives at https://github.com/andy-broyles/weavewhatever/tree/main/src/weave/modules/checkpoint. File a bug or feature request at https://github.com/andy-broyles/weavewhatever/issues.